Transcript of a Blue Sky eLearn presentation (PDF)

You’ve Identified Security Risks with a SaaS Vendor. So What?

Sandy Silk, CISSP Harvard University

What do they want? (or: what are you seeking?)

What’s most likely?

My favorite three questions!
1. What’s at risk if we don’t do this?
2. Who is the business owner of this project?
3. What else should I know about this?

Can we change anything?
» Are there other vendors in this space?
» Have we already signed the contract?
» Is this already deployed?
» What application elements are configurable?
» What processes do we manage directly?

Set context. What happens if…
» …data is stolen or exposed?
  • Types of data elements: PII, R&D, embarrassing…
  • Volume of records in the system
» …data gets modified or corrupted?
  • Transactions or decisions based on data points
  • Implications for life safety, medical treatment, financials…
» …system or data is unavailable?
  • Manual processes or alternate systems? How sustainable?
  • Can we adjust any deadlines? Wiggle room?

Which are your realistic threats?

Always!

Where are breakdowns most likely?

A bad system will beat a good person every time. -W. Edwards Deming

Incident classification patterns (bar chart, N = 64,199): half of all incidents are caused by people.
Source: 2016 Verizon Data Breach Investigations Report

Breach classification patterns (bar chart, N = 2,260): two thirds of all breaches leverage app-level vulnerabilities.
Source: 2016 Verizon Data Breach Investigations Report

Who’s responsible for what? (diagram: your responsibility, held directly or via contract, versus the SaaS vendor’s, for your data and its storage)

Access to confidential information, excessive access, and access review (three charts).
Source: 2016 Ponemon Institute: Closing Security Gaps to Protect Corporate Data

Who will review access on this system?
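The review the question asks for has to happen on your side, because only you hold the HR roster the vendor's user export must be checked against. The following is an added example, not material from the presentation: it joins a SaaS user export with an in-house roster and reports orphaned, terminated, dormant and over-privileged accounts. The field names, the sample users, the department/role policy and the service-account list are constructed assumptions for illustration.

```python
"""Access review for a SaaS tenant: who still has access, and should they?

Added example, not from the presentation. It joins the vendor's user export
(the only thing the SaaS can tell you) with the HR roster you hold yourself,
which is why the review has to be done on your side. Field names, the sample
users and the policy values are constructed assumptions for illustration."""
from datetime import date, timedelta

# Constructed sample: what a SaaS admin console typically exports.
SAAS_USERS = [
    {"login": "alice@example.edu", "role": "admin", "last_login": "2016-09-01"},
    {"login": "bob@example.edu",   "role": "user",  "last_login": "2016-03-15"},
    {"login": "carol@example.edu", "role": "admin", "last_login": "2016-09-20"},
    {"login": "dave@example.edu",  "role": "user",  "last_login": "2016-09-22"},
    {"login": "eve@example.edu",   "role": "admin", "last_login": "2016-08-30"},
    {"login": "svc-report@example.edu", "role": "api", "last_login": None},
]
# Constructed sample: your own HR roster. Note that eve has no record at all.
HR_ROSTER = {
    "alice@example.edu": {"status": "active",     "dept": "finance"},
    "bob@example.edu":   {"status": "terminated", "dept": "research"},
    "carol@example.edu": {"status": "active",     "dept": "it"},
    "dave@example.edu":  {"status": "active",     "dept": "research"},
}
# Assumed policy: which departments may hold which privileged roles, and which
# logins are known service accounts reviewed through a separate process.
ROLE_ALLOWED_DEPTS = {"admin": {"it", "finance"}}
SERVICE_ACCOUNTS = {"svc-report@example.edu"}


def review_access(users, roster, today_iso, dormant_days=90, max_admins=2,
                  role_allowed_depts=ROLE_ALLOWED_DEPTS,
                  service_accounts=SERVICE_ACCOUNTS):
    """Return (login, finding, detail) tuples for accounts that need a decision."""
    today = date.fromisoformat(today_iso)
    findings = []
    admins = [u["login"] for u in users if u["role"] == "admin"]
    for u in users:
        login = u["login"]
        if login in service_accounts:
            continue
        person = roster.get(login)
        if person is None:
            # Orphan: nobody in HR owns this login, so nobody will ever remove it.
            findings.append((login, "orphan", "no HR record"))
            continue
        if person["status"] != "active":
            findings.append((login, "terminated", f"HR status is {person['status']}"))
        if u["last_login"] is None:
            findings.append((login, "dormant", "never logged in"))
        elif today - date.fromisoformat(u["last_login"]) > timedelta(days=dormant_days):
            findings.append((login, "dormant", f"last login {u['last_login']}"))
        allowed = role_allowed_depts.get(u["role"])
        if allowed is not None and person["dept"] not in allowed:
            # Excessive access: a privileged role outside the departments that need it.
            findings.append((login, "excessive", f"{u['role']} role held in {person['dept']}"))
    if len(admins) > max_admins:
        findings.append(("*", "too-many-admins",
                         f"{len(admins)} admins, policy allows {max_admins}"))
    return findings


if __name__ == "__main__":
    for login, finding, detail in review_access(SAAS_USERS, HR_ROSTER, "2016-10-01"):
        print(f"{finding:16} {login:26} {detail}")
```

Run it on the real export on a schedule and hand the findings to the business owner from question 2 above; an orphaned admin login (eve in the sample) is exactly the account nobody will ever think to remove.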

What’s the data value to others?

Type                US        Europe, Canada, Australia
PCI w/ code         $5-$8     $20-$30
PHI                 $15       $25-$30
PII                 $15       $30-$35
“Fullz”             $30       $35-$45
Bank/Pay accounts   5-12% of available balance

Source: 2015 McAfee Labs, The Hidden Data Economy

You can’t steal what’s not there!
» Opaque identifiers vs. names/PII
  • Breach notification avoidance
» Defined retention schedules
  • Fewer active records = lower breach impact

Business benefits of reduced PII in SaaS
» Fewer contract riders / faster legal review
» Less cyber risk insurance coverage required

Poll #1: Cyber Risk Insurance
Does your organization include a cyber risk insurance clause with minimum coverage amount in your vendor contracts?
1. Yes
2. No
3. Considering
4. Don’t know

Plan for phishing & fraud
» Leverage federated authentication (SSO)
  • Your people, your authentication system and logs
» Disable direct login wherever possible
» Truncate PII wherever full data not required
» Send confirmations by default, not opt-in
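Both “opaque identifiers vs. names/PII” and “truncate PII wherever full data not required” come down to one transform applied before a record leaves your environment. The following is an added example, not the presenter's code: a per-field policy sends the vendor keyed opaque identifiers instead of names or IDs, truncated values where the full value is not required, and nothing at all for fields the policy does not name, while the reverse lookup stays in-house. The field names, policy, key and sample records are constructed assumptions.

```python
"""Data minimization before a record leaves for the SaaS.

Added example (not from the presentation). A per-field policy decides what the
vendor receives: opaque keyed identifiers instead of names or IDs, truncated
values where the full value is not required, and nothing at all for fields
the policy does not name. Field names, the policy and the key are constructed
assumptions."""
import hashlib
import hmac

# Assumption: this key lives only in your environment (secrets manager or HSM)
# and is never shared with the vendor. Constructed placeholder value.
PSEUDONYM_KEY = b"in-house-key-rotate-me"

# Assumed policy for a student-records export. Unknown fields default to "drop".
POLICY = {
    "student_id": "pseudonymize",
    "email":      "pseudonymize",
    "name":       "drop",
    "ssn":        "last4",
    "dob":        "year",
    "course":     "keep",
    "grade":      "keep",
}


def opaque_id(key, namespace, value):
    """Keyed, deterministic pseudonym. The vendor can still join records on it,
    but cannot recover the original without the key. A plain hash would not do:
    SSNs and email addresses are low-entropy and trivially brute-forced."""
    mac = hmac.new(key, f"{namespace}:{value}".encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:32]


def minimize(record, policy=POLICY, key=PSEUDONYM_KEY, namespace="saas-export"):
    """Apply the policy; returns the record the SaaS is allowed to see."""
    out = {}
    for field, value in record.items():
        action = policy.get(field, "drop")      # default deny
        if action == "drop":
            continue
        if action == "keep":
            out[field] = value
        elif action == "pseudonymize":
            out[field] = opaque_id(key, f"{namespace}/{field}", value)
        elif action == "last4":
            out[field] = "".join(c for c in str(value) if c.isdigit())[-4:]
        elif action == "year":
            out[field] = str(value)[:4]         # ISO date "YYYY-MM-DD" -> "YYYY"
        else:
            raise ValueError(f"unknown policy action {action!r} for {field}")
    return out


def lookup_table(records, field, policy=POLICY, key=PSEUDONYM_KEY, namespace="saas-export"):
    """Kept in-house: maps the vendor's opaque value back to the real one so the
    help desk can act on a support ticket without the vendor ever holding PII."""
    return {opaque_id(key, f"{namespace}/{field}", r[field]): r[field] for r in records}


# Constructed sample records.
SAMPLE = [
    {"student_id": "S1001", "email": "a.student@example.edu", "name": "A. Student",
     "ssn": "123-45-6789", "dob": "1998-04-12", "course": "CS50", "grade": "A",
     "advisor_notes": "internal only"},
    {"student_id": "S1002", "email": "b.student@example.edu", "name": "B. Student",
     "ssn": "987-65-4321", "dob": "1997-11-30", "course": "CS50", "grade": "B+"},
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(minimize(r))
```

The namespace in the HMAC input keeps the same value from producing the same token in two fields or two vendors, so a token leaked from one SaaS cannot be joined against another. Rotating the key re-issues every token, which is why the lookup table, not the vendor, is the system of record.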

Increase the effort for payout
» Reduce PII availability
» Use 2FA for high-risk transactions
» Require segregation of duties for high-risk business processes

Source: 2016 Hewlett Packard Enterprise: The Business of Hacking

Who’s responsible for what? (the same diagram again: your responsibility, held directly or via contract, versus the SaaS vendor’s, for your data and its storage)

Does the vendor know their CSP contract? We asked about… and they replied…

» Physical locations, network diagram, most recent security audit?
  “N/A since the data centers are operated by [CSP].”
» Security Operations, SIEM, IPS?
  “Since we don't operate any data centers, we rely on [CSP’s] capability in this space.”
» Integrity/Confidentiality of stored data?
  “We do not store any client data on our system. Data is stored either on MySQL database or on file systems managed by [CSP].”

Poll #2: Patching process breakdown
In 2014, what percentage of all successful exploits attacked vulnerabilities for which patches/fixes had been available for more than a year?
1. 30%
2. 50%
3. 75%
4. 99.9%

Source: 2015 Verizon Data Breach Investigations Report

Application security practices?
» “Because of the architecture of the system as described previously, there are no specific security tests.”
» Should YOUR company perform testing?
  • Will business take any action?
  • Will the vendor do anything about vulnerabilities?
  • What’s at risk for the business?

Change management process?
» Yours and theirs…
» Not just post-production!
» Are you reviewing their test/QA environment?
» When are front-ends “open for business?”
» Will you be part of change testing?

If you can’t prevent, then detect!
» Changes to critical files
» Volumes of transactions within regular periods
  • Queries from a single account
  • Records updated within a short time period
  • New/deleted records or accounts
» Alerts for specific activities
  • Changed configurations/business thresholds
  • Money movement above set $ amounts
  • Use of super admin accounts for overrides
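Most of these detections need nothing from the vendor beyond an audit export you can pull on a schedule. The following is an added example, not the presenter's material: it runs the rules listed above (per-account query bursts, records updated within a short period, new or deleted accounts, configuration/threshold changes, money movement above a set amount, and super-admin overrides) over a constructed set of JSON audit events. The field names, thresholds and sample events are assumptions; a real vendor export will need its own parser.

```python
"""Detective controls over a SaaS audit export.

Added example (not from the presentation). Each rule corresponds to one of the
bullets above: per-account query bursts, records updated within a short
period, new or deleted accounts, configuration/threshold changes, money
movement above a set amount, and super-admin overrides. The JSON field names,
the thresholds and the sample events are constructed assumptions; a real
vendor export will need its own parser."""
import json
from collections import defaultdict
from datetime import datetime, timedelta


def _burst(actor, action, obj, start, n, step_s):
    """Construct n evenly spaced sample events (test data only)."""
    t0 = datetime.fromisoformat(start)
    return [json.dumps({"ts": (t0 + timedelta(seconds=i * step_s)).isoformat(),
                        "actor": actor, "action": action, "object": obj})
            for i in range(n)]


# Constructed sample: one JSON event per line, as many audit exports provide.
SAMPLE_LOG = "\n".join([
    '{"ts":"2016-10-03T09:00:01","actor":"alice","action":"query","object":"payments"}',
    '{"ts":"2016-10-03T09:01:00","actor":"bob","action":"update","object":"invoice/17"}',
    '{"ts":"2016-10-03T09:10:00","actor":"carol","action":"transfer","amount":25000,"to":"vendor-9"}',
    '{"ts":"2016-10-03T09:11:00","actor":"carol","action":"transfer","amount":400,"to":"vendor-2"}',
    '{"ts":"2016-10-03T09:12:00","actor":"root","action":"config_change","key":"approval_threshold","old":5000,"new":50000}',
    '{"ts":"2016-10-03T09:13:00","actor":"root","action":"update","object":"invoice/17","override":true}',
    '{"ts":"2016-10-03T09:14:00","actor":"bob","action":"delete_user","object":"dave"}',
] + _burst("mallory", "query", "customers", "2016-10-03T09:05:00", 7, 5)
  + _burst("eve", "update", "payroll", "2016-10-03T09:20:00", 6, 3))


def parse(text):
    """Parse JSON-lines events and order them by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])


def burst_alerts(events, action, limit, window, kind):
    """One alert per actor whose `action` count inside any sliding `window` exceeds `limit`."""
    alerts, recent, fired = [], defaultdict(list), set()
    for e in events:
        if e["action"] != action:
            continue
        q = recent[e["actor"]]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:      # drop timestamps that fell out of the window
            q.pop(0)
        if len(q) > limit and e["actor"] not in fired:
            fired.add(e["actor"])
            alerts.append((kind, e["actor"], f"{len(q)} {action} events within {window}"))
    return alerts


def detect(text, query_limit=5, update_limit=5, window=timedelta(minutes=1),
           money_limit=10000):
    """Return (kind, actor, detail) alerts; thresholds are assumptions tuned to the sample."""
    events = parse(text)
    alerts = burst_alerts(events, "query", query_limit, window, "query-burst")
    alerts += burst_alerts(events, "update", update_limit, window, "bulk-update")
    for e in events:
        act = e["action"]
        if act == "transfer" and e.get("amount", 0) > money_limit:
            alerts.append(("large-transfer", e["actor"], f"{e['amount']} to {e.get('to')}"))
        if e.get("override"):
            alerts.append(("admin-override", e["actor"], f"{act} on {e.get('object')}"))
        if act == "config_change":
            alerts.append(("config-change", e["actor"],
                           f"{e.get('key')}: {e.get('old')} -> {e.get('new')}"))
        if act in ("create_user", "delete_user", "create_record", "delete_record"):
            alerts.append(("account-or-record-change", e["actor"], f"{act} {e.get('object')}"))
    return alerts


if __name__ == "__main__":
    for kind, actor, detail in detect(SAMPLE_LOG):
        print(f"{kind:24} {actor:8} {detail}")
```

Each alert names a person and an action the business owner can be asked about, which is the point: the threshold changed by root at 09:12 would otherwise make the 25,000 transfer at 09:10 look routine from then on, and the audit export is the only place you would see either.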

What remains as likely or high-impact?

Always!

Explore response options with business:
» What if data is stolen or exposed?
  • Do we take down the system, specific pages, data fields…?
  • Whom must we notify and when?
  • What are the long-term costs/losses?
» What if data gets modified or corrupted?
  • Do we take down the system, specific pages, data fields…?
  • What are the top-priority recent transactions to verify or override?
  • What’s the data restoration plan?
» What if system or data is unavailable?
  • Manual processes or alternate systems? How long can we sustain?
  • Can we adjust any deadlines? Wiggle room?

Can the vendor support these options?

Keep it in perspective!
» What’s the risk of not doing this?
» What are the most likely risks, and can we reduce probability or loss from those?
» Is the vendor responsive to enhancement requests?

Write it up!
